Analysis of the FluBot malware variant (locally named Voicemail)


A phishing attack via SMS that was recorded in our region during this week contains malicious software for Android, which is a version of FluBot, malware that steals bank data, and much, much more

Unfortunately, phishing attacks, a subsection of social engineering attacks that try to persuade the user to do something harmful to him, are more and more common. The other day a reported SMS attack, better known as smishing, is just further proof that we can never relax, at least when it comes to information security.
In smishing attempts, the attacker often tries to imitate banks, delivery services and teleoperators (which happened in our case), and the goal is, as always, to get something from the users. Whether it is, for example, gathering information or redirecting to websites that mimic legal services, the end result is often financial damage to the individual.
SMS, even if one would not think so, is an excellent vector of the initial attack because subconsciously SMS is something urgent. Because who still sends SMS?! Only delivery services and teleoperators. So when such a message appears, a lot of people will click links in its content.

Case study

flubot_SMS_android flubot_SMS_iphone
Our case that took place a few days ago sent text messages to users regardless of the operating system used by their mobile device (messages were received by Android and iOS users, although in fact, only those users with the Android operating system were targets of the attack). The content of the SMS informed users that they had one new voicemail.
Some cell phones automatically declared the message as undesired, but it was still possible to click on a link in its content. The link led to the application called Voicemail that the user had to install in order to listen to the voicemail - as already mentioned, the application worked exclusively on various Androids, so iOS users weren't in danger (at least, not this time).

With a lot of reports, the Incident Response team at Infigo IS downloaded the APK file (which contains programs that are installed on Android-powered phones), and while code was obfuscated, they disassembled it and looked at what it was doing, who was it contacting, and what other interesting details can be found.
flubot_01_action flubot_02_access

flubot_03_control flubot_04_allow
At the very beginning, it is interesting that a malicious program requires a lot of user will and perseverance - the user should first click on the link in the SMS, then download the Voicemail application, then try to install the application (and enable the option to install from an unknown source because Android automatically disables installation outside the official Google Play Store) and when it does, permissions need to be granted so that the program can run and start doing what it was made for. But regardless, there are users who have done it all.
app_permission
Static analysis (when analyzing malware, static analysis is the one that is performed without starting the program) showed that the application requires a lot of permissions, from reading the phonebook, sending SMS, making calls, but especially interesting is the permission to ignore battery optimizations which immediately suggests malware that runs in the background and hides from the user. This is extremely common with malware used to steal mobile banking information.

Dynamic analysis (done by running malware in a secure and isolated environment) shows that when the user launches the app, it seeks permissions through Android Accessibility, a subsystem that allows legitimate app authors to customize apps for users with disabilities. In this case, if the user gives that permission, the malicious software uses it to disable Play Protect, a system by which Google additionally protects users from installing harmful apps on their phones.

If the user has gone through all the steps and the application is running, it starts communicating with the remote C&C (Command & Control) server. The server serves as a checkpoint where the malicious application leaves read data from the mobile device (among those are all the contact information). Interestingly, the malware will not send SMS messages to all contacts, but will do it smarter through a more balanced approach - but regardless of which contacts it sends new SMS to, complete directories remain on the server. In other words, for any user who has unfortunately run this malware, all their contacts have been sent to a C&C server.
After that, the application actually receives an SMS message from the same C&C server to send, according to the user's geographical location (that's why we have messages in Croatian), as well as a list of target numbers to which the SMS will be sent. This explains why most messages are received from unknown (but correct) numbers.
In the case of "our" malware, it communicated with servers on Russian (.ru) domains via an encrypted connection. These particular servers are already known and have been used in attacks that began to occur in Spain last year; those servers contained a message in Russian for security analysts who managed to find them, along with a video of Russian politician Dmitry Medvedev.

The malware in question was named FluBot and at the end of last year in Spain, it managed to infect as many as 60,000 users and collect a total of 11 million phone numbers! As in our local case, it spread via SMS (a message from delivery services), and its goal was to steal user data, including access to mobile banking and credit card numbers.
Although the Spaniards managed to arrest four men in connection with this hacker attack, it is clear that this was not enough to stop it completely. We soon saw it spread across the rest of Europe and it is now recorded in Germany, the United Kingdom, Hungary, Poland, Italy, Norway, Sweden, Finland, Denmark, and the Netherlands, and as we can see, it has arrived in Croatia, if not the original FluBot, then some of its subvariant.
Our version, at least at this point in the analysis, did not have any components that would indicate attacks on Croatian banks, but it should be noted that attackers can easily add this functionality given that the malicious application uses the so-called overlay attack. This functionality is enabled through standard Android interfaces to an application that has high privileges - in the analyzed malicious code, this component works by downloading an HTML page from the C&C server that looks the same as the mobile banking login screen, after which it is displayed via a legitimate application when the user initiates it. In other words, when a (legitimate) mobile banking application is launched on an infected device, the malicious software will display an HTML page that looks identical but will ensure that the entered data is captured by the malicious application (and not by a legitimate mobile banking application).

It is currently unknown who is behind FluBot, but many indicators point to a hacker group from Russia that aims to steal data to access mobile banking and credit card numbers.

Analyzed malicious code technical data


APK file:
Voicemail7.apk

IOC:
SHA256: 269083a23a658f3a13b65026a8215814b8d2006e5a09d94ff89995ad7521c22d
Active C&C at the time of analysis: byxibafaytidrcd [dot] ru

How to protect yourself from phishing attacks


First of all, you need to recognize a phishing attack, no matter which channel it came from. The attackers usually try to get emotions high - as soon as you feel that something is urgent, that they will cancel all the bank accounts you ever had, that the revenue service is knocking on your door, that a package is waiting for you and if you don't reply in the next hour it will be gone forever, all of that suggests that someone want you to be stressed, and that will make you less careful. Only when you realize that you are a victim of an attack can you react properly - ignore the attempted attack (do not click on anything) and report it all to the corresponding service or supervisory body, whether it was the IT department or your teleoperator.
If you suspect that your mobile device is infected, it is often best to reset it to factory settings which should remove the malware (though this is not 100 percent reliable). Of course, such a device should never be used to access mobile banking or similar sensitive systems.